Domain based tunnel / Beryl AX / 4.9 beta 2

Experimenting with shovelling specific traffic down my tunnel based on domain to get UK-based BBC websites (it won't work for CDN reasons, I think, but that's another story), but I have come across an issue.

When I enter domains in the GUI and restart the tunnel, I get errors in the server log:

Fri May 8 15:51:48 2026 daemon.crit dnsmasq[13242]: FAILED to start up
Fri May 8 15:51:53 2026 daemon.crit dnsmasq[13299]: bad option at line 1 of /tmp/dnsmasq.d/via_domain
Fri May 8 15:51:53 2026 daemon.crit dnsmasq[13299]: FAILED to start up
Fri May 8 15:51:53 2026 daemon.crit dnsmasq[13301]: bad option at line 1 of

The file itself contains:

~# cat /tmp/dnsmasq.d/via_domain
nftset=/bbcstatic.com/4#inet#vpn_table#dst_net10
nftset=/26u.co/4#inet#vpn_table#dst_net10
nftset=/account.bbc.com/4#inet#vpn_table#dst_net10
nftset=/bbci.co.uk/4#inet#vpn_table#dst_net10
nftset=/static.bbci.co.uk/4#inet#vpn_table#dst_net10
nftset=/bbc.co.uk/4#inet#vpn_table#dst_net10
nftset=/mybbc.co.uk/4#inet#vpn_table#dst_net10
nftset=/session.bbc.com/4#inet#vpn_table#dst_net10
nftset=/bbc.com/4#inet#vpn_table#dst_net10
nftset=/ichef.bbci.co.uk/4#inet#vpn_table#dst_net10

After a few seconds I lose all DNS (not just to those domains) on the connected clients; nothing shows in AGH or anywhere else. Turning the tunnel off or deleting those rules and all is fine again.

Is this some sort of parsing error with the GUI here?

Tunnel policy works on a device level, but I'm getting this using the GUI for a domain-based filter.

AGH is running on the Beryl; Override DNS Settings of All Clients and Allow Custom DNS to Override VPN DNS are both turned on, but I have tried them off.

It looks like an invalid policy is passed to nftables, which then fails; dnsmasq fails to start because of it.

What is your raw policy given in?

It could be that there is a strange whitespace character after a new line which invalidates the dnsmasq configuration, since they may get stripped on the forum when posting.

It's a bog-standard text-only raw paste from Notepad into the GUI.
Also tried typing manually.
I don't see any hidden control codes or characters, and typing manually should exclude that.

How long is this list? I know that nftsets have a limit, at least that is what I learned from Stangri's PBR; it could be that the ipset is becoming too big.

Hi

MT3000 v4.9.0 Beta 2 should use ipset instead of nftset.

Did you import a LuCI backup file from another device or from an OP24-based firmware version?

Please try checking the following:

uci show route_policy.global.use_fw4
# If it exists, delete it
uci delete route_policy.global.use_fw4
uci commit route_policy

After that, restart the VPN and it should work normally again.

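The reply above says this firmware build should be writing ipset= lines, while the via_domain file in the first post contains nftset= lines that dnsmasq rejects with "bad option". As an added example (not GL.iNet firmware code), the script below checks lines of that file against the set backends a dnsmasq build reports in its `dnsmasq --version` banner (dnsmasq lists each feature as ipset or no-ipset, nftset or no-nftset) and rewrites nftset= lines to the ipset= form. The banner text and the three file lines are constructed copies; the ipset name it picks (the nft set's own name, the last `#` field) is an assumption, since the thread does not say which ipset the firmware creates.

```python
"""Check dnsmasq domain-to-set rules against the backend the binary was built with.

Added example for this thread, not GL.iNet firmware code. It parses the
nftset=/.../... lines from the via_domain file, reports which of them a given
dnsmasq build would reject, and rewrites them to ipset=/.../... form.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of the banner line printed by `dnsmasq --version`; a real
# banner lists each feature as "ipset"/"no-ipset", "nftset"/"no-nftset", etc.
VERSION_BANNER_IPSET_ONLY = (
    "Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 "
    "no-Lua TFTP no-conntrack ipset no-nftset auth cryptohash DNSSEC no-ID "
    "loop-detect inotify dumpfile"
)

# Constructed copy of three lines from the /tmp/dnsmasq.d/via_domain file posted above.
VIA_DOMAIN_LINES = [
    "nftset=/bbcstatic.com/4#inet#vpn_table#dst_net10",
    "nftset=/bbc.co.uk/4#inet#vpn_table#dst_net10",
    "nftset=/bbc.com/4#inet#vpn_table#dst_net10",
]


def compiled_features(banner: str) -> dict[str, bool]:
    """Map each feature token in the version banner to True (built in) or False ("no-" prefix)."""
    feats: dict[str, bool] = {}
    for tok in banner.split(":", 1)[1].split():
        if tok.startswith("no-"):
            feats[tok[3:]] = False
        else:
            feats[tok] = True
    return feats


@dataclass
class SetRule:
    kind: str            # "ipset" or "nftset"
    domains: list[str]   # one or more domains, matched as suffixes by dnsmasq
    sets: list[str]      # raw set specs: "4#inet#vpn_table#dst_net10" or a plain ipset name


_RULE = re.compile(r"^(?P<kind>ipset|nftset)=/(?P<body>.+)$")


def parse_rule(line: str) -> SetRule:
    """Parse 'ipset=/<dom>[/<dom>...]/<set>[,<set>...]' or the nftset equivalent."""
    m = _RULE.match(line.strip())
    if not m:
        raise ValueError(f"not an ipset/nftset rule: {line!r}")
    body = m.group("body")
    if "/" not in body:
        raise ValueError(f"missing set list after the domains: {line!r}")
    # The set list follows the last '/'; everything before it is the domain list.
    doms, sets = body.rsplit("/", 1)
    domains = [d for d in doms.split("/") if d]
    if not domains or not sets:
        raise ValueError(f"empty domain or set list: {line!r}")
    return SetRule(m.group("kind"), domains, sets.split(","))


def render(rule: SetRule) -> str:
    return f"{rule.kind}=/{'/'.join(rule.domains)}/{','.join(rule.sets)}"


def nftset_to_ipset(rule: SetRule, ipset_name_for=None) -> str:
    """Rewrite an nftset rule as an ipset rule.

    ipset_name_for maps an nft set spec to the ipset dnsmasq should fill. The
    thread does not say which ipset the firmware creates, so the default below
    (reuse the nft set's own name, the last '#' field) is an assumption.
    """
    if rule.kind != "nftset":
        return render(rule)
    if ipset_name_for is None:
        ipset_name_for = lambda spec: spec.rsplit("#", 1)[-1]
    names: list[str] = []
    for spec in rule.sets:
        name = ipset_name_for(spec)
        if name not in names:
            names.append(name)
    return render(SetRule("ipset", rule.domains, names))


def check_file(lines: list[str], banner: str, path: str = "/tmp/dnsmasq.d/via_domain") -> list[str]:
    """Return one message per line that the described dnsmasq build would not accept.

    Messages copy the 'bad option at line N of FILE' shape seen in the log above;
    this mimics the log text, it is not dnsmasq's own code path.
    """
    feats = compiled_features(banner)
    errors: list[str] = []
    for n, line in enumerate(lines, 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            rule = parse_rule(line)
        except ValueError as exc:
            errors.append(f"bad option at line {n} of {path}: {exc}")
            continue
        if not feats.get(rule.kind, False):
            errors.append(f"bad option at line {n} of {path}: {rule.kind} not compiled in")
    return errors


if __name__ == "__main__":
    for err in check_file(VIA_DOMAIN_LINES, VERSION_BANNER_IPSET_ONLY):
        print(err)
    for line in VIA_DOMAIN_LINES:
        print(nftset_to_ipset(parse_rule(line)))
```

On the router, run `dnsmasq --version` and paste its "Compile time options" line into `check_file` to see which backend the installed binary actually supports before trusting a GUI-written file; a build reporting no-nftset cannot load any nftset= line, whatever the set name.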

OK, that was active, and that did fix it.

I was on OP24 a while ago but downgraded due to wanting Amnezia support, so it's likely left over from that despite multiple 4.8 and 4.9 firmwares.

I did try a factory reset on 4.9b2 to install from scratch, but found it refused to recognise my VPN config files as Amnezia, marked them as normal WireGuard and refused to connect, hence restoring.

Thanks for that; sorted for now. A test domain now does go through the tunnel. (Admittedly BBC still redirects somehow to the international page, but that's unrelated.)

Thank you for the update. We’re glad to hear that the VPN is now working properly.

That sounds a bit unusual, as MT3000 v4.9.0 beta2 should be able to import Amnezia VPN client profiles properly.

Could you please share the configuration file with us (with the server address and public/private keys redacted) so we can check it locally?


I'll do so, but in a few days when I'm back from the current trip. Is it better as a PM due to server addresses (not sure I want my private infrastructure IPs on public forums)?

I will do another full factory reset after this trip and paste it again along with log gathering.

Yes, if you have privacy concerns, you can send us a private message, or contact us via email at support@gl-inet.com.

I've just factory reset and installed 4.9 beta 4 again from scratch to ensure things are OK.

This exact config was working fine on the same firmware on my old ported beta 1 onwards settings.

However, when I try to enter them into the new one it won't accept them. I think it is the parameters.

[Interface]
Address = 10.12.0.10/24,fd11:0:0:2::10/64
PrivateKey = Redact
DNS = 172.17.2.1, fda8:421a:f699:0:fd79:3dd7:85a4:6451
MTU = 1280
Jc = 3
Jmin = 64
Jmax = 800
S1 = 8
S2 = 16
H1 = 3339112198
H2 = 4238541520
H3 = 2940724556
H4 = 1065151814
I1 = <b 0xc1c6163b00000001000000000000013aff000001000001280000000000000000060040f4000100003c0200000000ffffffffffffffff00070010d9da4bd0ad7e71fd18eabf6f92edde6b003c0010001d00120010168772d32602068332d32602068330020001400040000000a00050003026833001000050003026833001c0002400100150019a1d6bc73f27f7df8e1b04e7d5e8c9b0e4a3f2><r 10>

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = myAmz2
PersistentKeepalive = 15
PublicKey = Redacted

In “Text”, apply won't work (red border). In “Item” list it highlights the obfuscation parameters and won't save.

If I import the .conf directly then it “accepts” it and “connects” but doesn't work. Poking round the CLI suggests it's trying to treat it as WireGuard instead, and as such no obfuscation, so it won't work at all.

The same settings work on mobiles, laptops and previously on 4.9 beta 1 (where I entered it) and beta 2, 3, 4 prior to reset.

FWIW, if I strip I1 and H and paste the text in, the config does save at least, so it suggests the parsing is getting stuck here.

Further update: this looks like a parser error. I can manually fix it by creating a file in /etc/wireguard/profiles/group/peerxxxx and echoing all the obfuscation parameters there.

If I do that, the entire config works. The error seems to be not parsing, and therefore not saving, the obfuscation.

It appears that H1–H4 exceed the limits currently supported by our implementation.

Could you please clarify the following:

  1. Is this a self-hosted server, or is it provided by a third-party service provider?
  2. If it is a self-hosted server, could you try adjusting the values to fall within the following ranges and see whether that helps?
H1: [5, 2147483647]
H2: [5, 2147483647]
H3: [5, 2147483647]
H4: [5, 2147483647]

It's self-hosted with the official git Amnezia on a RaPi.

Changing params isn't really practical due to the 20 or so clients (not all mine) I'd have to reconfigure.

The Beryl DOES work, though, if I manually set the file in /etc/wireguard/profile/group/peerxxxx with the values.

If I do that, it all connects and all works, so it seems the client implementation itself is fine using those values, but the parser is rejecting them on both the text input and the conf file input.

But the .conf input DID work on 4.9 beta 1, as that's how my original config got added in the first place.

Best i can do next week is set up a new server with new values as a test bed.

Is there a list of what parameters and values are currently accepted?

EDIT to add:

Even using H values in the ranges you specified, the text paste parser won't accept them.

Removing I1, it still won't accept.

Can see the red highlight.

It will ONLY save with all H and I1 removed. S1, S2 is fine. Obviously then it doesn't think it's AWG, so it creates a standard peer, so I have to manually create the file in profiles/group/peerxxx with them.

It looks like you've run into another AWG limitation: the ranges defined by H1–H4 must not overlap.

We have already tested this locally, and after adjusting the H1–H4 values, the configuration file could be imported successfully.

Please refer to the following:

Jc:   [1, 128]
Jmin: [0, 1279]
Jmax: [0, 1279]
S1:   [0, 1132]
S2:   [0, 1188]
S3:   [0, 1216]
S4:   [0, 32]
H1:   [5, 2147483647]
H2:   [5, 2147483647]
H3:   [5, 2147483647]
H4:   [5, 2147483647]

The following constraints must also be satisfied:

  • Jmin and Jmax must appear together.
  • Jmin < Jmax.
  • S1 + 56 ≠ S2.
  • The ranges defined by H1–H4 must not overlap.
  • I1–I5 must each be ≤ 64 KB.
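The limits and constraints listed in the reply above can be checked before a profile is pasted into the GUI. The validator below is an added example for this thread, not GL.iNet's importer or the AmneziaWG reference code: it parses the [Interface] section of a .conf, treats each H value as either a single number or a `lo-hi` range (a single number is the degenerate range [n, n]), and reports every range or constraint violation. The embedded config is a constructed copy of the one posted earlier in the thread with I1 shortened, and the "≤ 64 KB" rule is measured as the byte length of the value text, which is an assumption.

```python
"""Validate AmneziaWG obfuscation parameters against the limits quoted above.

Added example for this thread, not GL.iNet's importer. It parses the [Interface]
section of a .conf and reports every value or constraint violation.
"""
from __future__ import annotations

import re

# Ranges quoted in the reply above.
LIMITS = {
    "Jc": (1, 128), "Jmin": (0, 1279), "Jmax": (0, 1279),
    "S1": (0, 1132), "S2": (0, 1188), "S3": (0, 1216), "S4": (0, 32),
    "H1": (5, 2147483647), "H2": (5, 2147483647),
    "H3": (5, 2147483647), "H4": (5, 2147483647),
}
# "I1-I5 must each be <= 64 KB": measured here as the byte length of the value text (assumption).
MAX_I_BYTES = 64 * 1024

# The [Interface] section posted above, redactions kept and I1 shortened (constructed copy).
POSTED_CONFIG = """\
[Interface]
Address = 10.12.0.10/24,fd11:0:0:2::10/64
PrivateKey = Redact
DNS = 172.17.2.1, fda8:421a:f699:0:fd79:3dd7:85a4:6451
MTU = 1280
Jc = 3
Jmin = 64
Jmax = 800
S1 = 8
S2 = 16
H1 = 3339112198
H2 = 4238541520
H3 = 2940724556
H4 = 1065151814
I1 = <b 0xc1c6163b00000001><r 10>

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = myAmz2
PersistentKeepalive = 15
PublicKey = Redacted
"""

_RANGE = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_interface(text: str) -> dict[str, str]:
    """Return key -> raw value for the [Interface] section (INI style, '=' separated)."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "interface" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def parse_range(value: str) -> tuple[int, int]:
    """H1-H4 may be a single number or 'lo-hi'; a single number is the range [n, n]."""
    m = _RANGE.match(value)
    if not m:
        raise ValueError(f"not a number or range: {value!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if lo > hi:
        raise ValueError(f"reversed range: {value!r}")
    return lo, hi


def validate_awg(cfg: dict[str, str]) -> list[str]:
    """Return a list of violations (empty means every check quoted above passes)."""
    errors: list[str] = []
    h_ranges: dict[str, tuple[int, int]] = {}
    for key, (lo, hi) in LIMITS.items():
        if key not in cfg:
            continue
        try:
            a, b = parse_range(cfg[key]) if key.startswith("H") else (int(cfg[key]), int(cfg[key]))
        except ValueError as exc:
            errors.append(f"{key}: {exc}")
            continue
        if a < lo or b > hi:
            errors.append(f"{key}: {cfg[key]} outside [{lo}, {hi}]")
        elif key.startswith("H"):
            h_ranges[key] = (a, b)
    # Jmin and Jmax must appear together, and Jmin < Jmax.
    if ("Jmin" in cfg) != ("Jmax" in cfg):
        errors.append("Jmin and Jmax must appear together")
    elif "Jmin" in cfg and cfg["Jmin"].isdigit() and cfg["Jmax"].isdigit():
        if int(cfg["Jmin"]) >= int(cfg["Jmax"]):
            errors.append(f"Jmin must be less than Jmax ({cfg['Jmin']} >= {cfg['Jmax']})")
    # S1 + 56 must differ from S2.
    s1, s2 = cfg.get("S1", ""), cfg.get("S2", "")
    if s1.isdigit() and s2.isdigit() and int(s1) + 56 == int(s2):
        errors.append(f"S1 + 56 == S2 ({s1} + 56 == {s2})")
    # The H1-H4 ranges must be pairwise disjoint (only in-range values are compared).
    keys = sorted(h_ranges)
    for i, k1 in enumerate(keys):
        for k2 in keys[i + 1:]:
            (a1, b1), (a2, b2) = h_ranges[k1], h_ranges[k2]
            if a1 <= b2 and a2 <= b1:
                errors.append(f"{k1} and {k2} overlap")
    # I1-I5 size limit.
    for n in range(1, 6):
        value = cfg.get(f"I{n}")
        if value is not None and len(value.encode()) > MAX_I_BYTES:
            errors.append(f"I{n}: {len(value.encode())} bytes exceeds {MAX_I_BYTES}")
    return errors


if __name__ == "__main__":
    for problem in validate_awg(parse_interface(POSTED_CONFIG)):
        print(problem)
```

Run against the posted profile it flags H1, H2 and H3 as above 2147483647 and passes everything else, which matches the first reply's diagnosis; a server operator can run the same check over a candidate set of new H values to confirm they are in range and disjoint before rolling them out to clients.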